(54) A user-computer interaction method for use by flexibly connectable computer systems



(57) A user-computer interaction method for use by a population of flexibly connectible computer systems and a population of mobile users, the method comprising storing information characterizing each mobile user on an FCCS plug to be borne by that mobile user; and accepting the FCCS plug from the mobile user for connection to one of the flexibly connectible computer systems and employing the information characterizing the mobile user to perform at least one computer operation.
Description

FIELD OF THE INVENTION 

[0001] The present invention relates to flexibly connectible computer apparatus and methods for using flexibly connectible hosts.

BACKGROUND OF THE INVENTION 

[0002] The USB interface is described in specifications available over the Internet at www.usb.org.
[0003] Firewire technology, also termed "IEEE 1394 technology", is an alternative to USB which also provides flexible connectivity and is described in the IEEE 1394 standard.

[0004] USBHasp is an Aladdin software protection product, announced in October 1997, which includes a USB key. USBHasp does not control access of a user to a computer network but rather impedes interaction between software and a computer system by activating a copy of the software only if a USB key corresponding to that copy is plugged into the computer system.
[0005] Conventionally, the only devices which have interacted via USB have been computers, keyboards, monitors, printers, mice, smart card readers, and biometric readers.

[0006] Conventional devices for providing computerized servicing to a mobile or stationary population of users typically include a smart card reader. The members of the mobile population bear smart cards which are used to interact with the computerized servicing device via the smart card reader.
[0007] A particular disadvantage of smart cards is that they require a smart card reader, which is a relatively costly device. Computer hosts which are equipped with a smart card reader are a small subset of the universe of computer hosts because addition of a smart card reader makes the computer considerably more expensive.

[0008] German Patent document DE 19631050 describes an interface converter for a universal serial bus having a module with a processor that changes format and protocol into that of a different bus system.
[0009] Rainbow Technologies, Inc., in a news release dated 17 November 1998, announced USB software protection keys which can also be used as authentication or access control devices. A unique ID number is assigned to each USB key, enabling the key to replace or supplement personal passwords. The unique ID of the USB key makes it useful as a notebook computer security device providing theft deterrence. Other uses for the USB keys include Web access control, client token for Virtual Private Network access, replacement for password generator tokens and storage of credentials, certificates and licenses.

[0010] In a news release dated 19 January 1999, Rainbow Technologies, Inc. announced a new line of USB tokens for VPNs (virtual private networks) which provides end user client authentication to VPNs and enables operator access to secured network equipment. Features of these tokens include "Internet security small enough to fit on a key-ring" and "personalization for the end user". The tokens allow a user to keep personal information in his or her pocket rather than on a hard drive.

[0011] A new "unique per individual" model of its USB based tokens was announced by Rainbow Technologies Inc. on 15 March 1999.
[0012] The disclosures of all publications mentioned in the specification and of the publications cited therein are hereby incorporated by reference.

SUMMARY OF THE INVENTION 

[0013] The present invention seeks to provide improved flexibly connectible apparatus and improved methods for using the same.
[0014] There is thus provided, in accordance with a preferred embodiment of the present invention, a user-computer interaction method for use by a population of flexibly connectible computer systems and a population of mobile users, the method including storing information characterizing each mobile user on an FCCS plug to be borne by that mobile user and accepting the FCCS plug from the mobile user for connection to one of the flexibly connectible computer systems and employing the information characterizing the mobile user to perform at least one computer operation.
[0015] Further in accordance with a preferred embodiment of the present invention, at least one computer operation comprises authentication.
[0016] Also provided, in accordance with another preferred embodiment of the present invention, is an FCCS plug device to be borne by a mobile user, the FCCS plug device including a portable device which mates with a flexibly connectible computer system and comprises a memory and information characterizing the mobile user and stored in the memory accessibly to the flexibly connectible computer system.
[0017] Also provided, in accordance with another preferred embodiment of the present invention, is a population of FCCS plug devices to be borne by a corresponding population of mobile users, the population of FCCS plug devices including a multiplicity of portable devices each of which mates with a flexibly connectible computer system and comprises a memory and information characterizing each mobile user in the population of mobile users and stored, accessibly to the flexibly connectible computer system, in the memory of the FCCS plug device to be borne by the mobile user.
[0018] Additionally provided, in accordance with another preferred embodiment of the present invention, is an FCCS plug device including a mating element operative to mate with a flexibly connectible computer system and a memory connected adjacent the mating element, thereby to form a portable pocket-size plug, wherein the memory is accessible to the flexibly connectible computer system via the mating element.
[0019] Also provided, in accordance with another preferred embodiment of the present invention, is an FCCS plug device including a mating element operative to mate with a flexibly connectible computer system and a CPU connected adjacent the mating element thereby to form a portable pocket-size plug, wherein the CPU has a data connection to the flexibly connectible computer system via the mating element.
[0020] Further in accordance with a preferred embodiment of the present invention, the FCCS plug device also comprises a CPU connected adjacent the mating element, thereby to form a portable pocket-size plug, wherein the CPU has a data connection to the flexibly connectible computer system via the mating element.

[0021] Still further in accordance with a preferred embodiment of the present invention, at least one computer operation comprises digital signature verification and/or controlling access to computer networks.
[0022] Further in accordance with a preferred embodiment of the present invention, the information characterizing each mobile user comprises sensitive information not stored in the computer system, thereby to enhance confidentiality.

[0023] Also provided, in accordance with another preferred embodiment of the present invention, is a user-computer interaction method for use by a population of flexibly connectible computer systems and a population of mobile users, the method including

storing confidential information not stored by the flexibly connectible computer systems on an FCCS plug to be borne by an individual user within the population of mobile users and
accepting the FCCS plug from the mobile user for connection to one of the flexibly connectible computer systems and employing the confidential information to perform at least one computer operation, thereby to enhance confidentiality.

[0024] Preferably the apparatus also includes a microprocessor operative to receive the USB communications from the USB interface, to perform computations thereupon and to provide results of the computations to the data storage unit for storage and/or for encryption and/or for authentication and/or for access control.

[0025] The term "USB port" refers to a port for connecting peripherals to a computer which is built according to a USB standard as described in USB specifications available over the Internet at www.usb.org.

[0026] The term "USB plug" or "USB key" or "USB token" refers to a hardware device whose circuitry interfaces with a USB port to perform various functions.



[0027] The term "smart card" refers to a typically plastic card in which is embedded a chip which interacts with a reader, thereby allowing a mobile bearer of the smart card to interact with a machine in which is installed a smart card reader, typically with any of a network of machines of this type.
[0028] Also provided in accordance with a preferred embodiment of the present invention is an electronic token, which preferably mates with a flexible connection providing port such as the USB port of any computer system such as a PC, laptop, palmtop or peripheral. The electronic token preferably does not require any additional reading equipment. The token may authenticate information and/or store passwords or electronic certificates in a token which may be the size of a domestic house key.

[0029] Preferably, when the token is inserted into a flexible connection providing port, a highly secure "dual factor authentication" process (e.g. "what you have" plus "what you know") takes place in which (a) the electronic token is "read" by the host PC or network and (b) the user types in his or her personal password for authorization.

[0030] Suitable applications for the electronic token include authentication for VPN, extranet and e-commerce.

[0031] The present invention also seeks to provide improved USB apparatus and improved methods for using the same.

[0032] There is thus provided, in accordance with another preferred embodiment of the present invention, USB key apparatus for interacting with a USB host via a USB port, the USB key apparatus including a portable device configured to fit the USB port, the portable device including a USB interface conveying USB communications to and from a USB host, a protocol translator operative to translate the USB communications from USB protocol into smart card protocol such as an ISO7816 protocol, and from smart card protocol into USB protocol, and a smart card chip operative to perform at least one smart card function such as authentication, encryption, access control and secure memory.
[0033] Also provided, in accordance with another preferred embodiment of the present invention, is USB key apparatus with data storage capabilities, the USB key apparatus including a portable device such as a PCB, configured to fit the USB port, the portable device including a USB interface conveying USB communications to and from a USB host and a data storage unit storing information derived from the USB communications.

BRIEF DESCRIPTION OF THE DRAWINGS 

[0034] The present invention will be understood and appreciated from the following detailed description, taken in conjunction with the drawings in which:
Fig. 1 is a simplified block diagram of a USB plug device including a CPU and a non-ISO7816 memory, the USB device being constructed and operative in accordance with a preferred embodiment of the present invention;

Fig. 2 is a simplified block diagram of a USB plug device including a CPU and an ISO7816 memory, the USB device being constructed and operative in accordance with a preferred embodiment of the present invention;

Fig. 3 is an exploded front view of an FCCS plug constructed and operative in accordance with a preferred embodiment of the present invention and implementing the USB plug device of Fig. 1;

Fig. 4 is an exploded view of an FCCS plug constructed and operative in accordance with a preferred embodiment of the present invention and implementing the USB plug device of Fig. 2; and

Figs. 5A - 5B pictorially illustrate a user-computer interaction method provided in accordance with a preferred embodiment of the present invention for use by a population of flexibly connectible computer systems and a population of mobile users.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

[0035] Reference is now made to Fig. 1 which is a simplified block diagram of a flexibly connectible USB plug device including a CPU and a non-ISO7816 memory, the USB device being constructed and operative in accordance with a preferred embodiment of the present invention.

[0036] A particular feature of the USB plug device of Fig. 1 is that it has data storage capabilities and is thus analogous to a memory smart card.
[0037] The USB plug device 10 comprises a PCB 25 which includes a microprocessor or CPU 30 such as a Motorola 6805, Cypress chip or Intel 8051; a USB interface device 40; firmware memory 50 serving the firmware of the microprocessor 30; RAM memory 60 of size sufficient to enable contemplated computations on the part of the microprocessor 30; and user data memory 70 which stores a user's data. Some or all of the USB interface device 40, firmware memory 50 and RAM memory 60 may be within the CPU 30.
[0038] The USB interface device 40 and/or the firmware memory 50 may be integrated inside the microprocessor 30.

[0039] The firmware memory may be any suitable type of memory such as but not limited to ROM, EPROM, EEPROM or FLASH.
[0040] The user data memory 70 typically does not include ISO7816-3 memory and may, for example, comprise any of the following types of memory: I²C, XI²C, 2/3 wire bus, FLASH.

[0041] As shown, the USB plug device 10 is configured to interact with any USB host 20 such as but not limited to a personal computer or Macintosh having a USB port. Key-host interaction is governed by a USB protocol such as the USB protocol described in the USB specifications available over the Internet at www.usb.org. USB packets pass between the USB host 20 and the USB interface chip 40. Each packet typically includes the following components:

a. USB header;

b. Data to be stored/read on the user's data memory 70, plus additional information required by protocols of the memory chip 70, such as but not limited to the address to store/read the data, the length of data to store/read, and CRC checksum information;

c. USB footer.

[0042] The flow of data typically comprises the following flow:
[0043] The USB interface chip 40 receives USB packets from the USB host 20, parses the data, and feeds the parsed data to the microprocessor 30. The microprocessor 30 writes the data to, or reads the data from, the firmware memory 50, the RAM 60 or the user's data memory 70, using each memory's protocol.
[0044] In read operation, the microprocessor 30 passes the data to the USB interface chip 40 which wraps the data in USB packet format and passes it to the host 20.
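An added example, not taken from the patent: a Python model of the packet body of [0041] and the read/write flow of [0043]-[0044] for the Fig. 1 memory plug. The patent names only the fields (address, length, CRC checksum), so the byte layout, opcodes, CRC polynomial and memory size below are assumptions; the model refuses to touch user data memory 70 when the checksum fails or the requested range leaves the user area.

```python
import struct

USER_MEMORY_SIZE = 4096          # assumed size of user data memory 70
OP_READ, OP_WRITE = 0x01, 0x02   # assumed opcodes carried inside the packet data


def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF); the checksum type is assumed."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def build_request(op: int, address: int, length: int, data: bytes = b"") -> bytes:
    """Host side: op(1) | address(2, big-endian) | length(1) | data | CRC-16(2).
    This is the part of the USB packet between USB header and footer (assumed layout)."""
    if not 0 <= address < USER_MEMORY_SIZE or not 1 <= length <= 255:
        raise ValueError("address or length out of range")
    if op == OP_WRITE and len(data) != length:
        raise ValueError("write data must be exactly `length` bytes")
    body = struct.pack(">BHB", op, address, length)
    if op == OP_WRITE:
        body += data
    return body + struct.pack(">H", crc16_ccitt(body))


class MemoryPlug:
    """Model of microprocessor 30 servicing user data memory 70 (Fig. 1)."""

    def __init__(self) -> None:
        self.memory = bytearray(USER_MEMORY_SIZE)

    def handle(self, payload: bytes) -> tuple:
        """Process one packet body as parsed out by USB interface chip 40.
        Returns (status, data); status is "ok", "bad_crc", "bad_format" or
        "bad_range". Memory is left untouched unless the status is "ok"."""
        if len(payload) < 6:
            return ("bad_format", b"")
        body, crc = payload[:-2], struct.unpack(">H", payload[-2:])[0]
        if crc != crc16_ccitt(body):
            return ("bad_crc", b"")            # damaged on the bus: do not act on it
        op, address, length = struct.unpack(">BHB", body[:4])
        if address + length > USER_MEMORY_SIZE:
            return ("bad_range", b"")          # never step outside the user area
        if op == OP_WRITE:
            data = body[4:]
            if len(data) != length:
                return ("bad_format", b"")
            self.memory[address:address + length] = data
            return ("ok", b"")
        if op == OP_READ:
            if len(body) != 4:
                return ("bad_format", b"")
            return ("ok", bytes(self.memory[address:address + length]))
        return ("bad_format", b"")
```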

[0045] Fig. 2 is a simplified block diagram of a USB plug device, constructed and operative in accordance with a preferred embodiment of the present invention, which is a one-piece smart card reader and smart card chip preferably providing both secured storage and cryptographic capabilities. The USB plug device of Fig. 2 includes both a CPU and a smart card chip (ICC) memory 170, typically an ISO7816 (T=0/1) protocol-based chip communicating with the CPU 130 using an ISO7816-3 protocol. The apparatus of Fig. 2 is similar to the apparatus of Fig. 1 except that no separate user's data memory 70 is provided. The size of the RAM 160 is typically at least 262 bytes in order to support the ISO 7816-3 T=0 or T=1 protocols.

[0046] Each packet typically includes the following components:

a. USB header;

b. ISO7816-3 T=0/1 protocol packet;

c. USB footer.

[0047] The flow of data in the apparatus of Fig. 2 typically comprises the following flow:
[0048] The USB interface chip 140 gets USB packets from the USB host 120. The USB interface chip 140 parses the data and passes it to the microprocessor 130. The data, which typically comprises an ISO7816-3 T=0/1 formatted packet, is passed by the microprocessor to the smart card 170 in an ISO7816-3 protocol. The microprocessor 130 gets the response from the smart card 160 and passes the data to the USB interface chip 140. The USB interface chip 140 wraps the data in USB packet format and passes it to the host 120.
[0049] A particular advantage of the embodiment of Fig. 2 is that smart card functionality is provided but there is no need for a dedicated reader because the plug 110 is connected directly to a USB socket in the host 120.
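The ISO7816-3 packet that microprocessor 130 forwards in [0048] carries a command APDU for the card chip. The following Python, an added example and not part of the patent, parses short command APDUs into their four ISO 7816-4 cases, shows that the largest one (261 bytes) fits in the 262-byte RAM 160 of [0045], and models smart card chip 170 answering a VERIFY command (INS 0x20) with a retry counter, which is the kind of authentication function the plug exposes. The PIN, retry limit and the P1 check are constructed for the example; the status words are the standard ISO 7816-4 values.

```python
import hmac
from typing import NamedTuple, Optional


class Apdu(NamedTuple):
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes            # command data field (cases 3 and 4), else b""
    le: Optional[int]      # expected response length (cases 2 and 4), else None


def parse_short_apdu(raw: bytes) -> Apdu:
    """Parse a short (one-byte Lc/Le) command APDU; raise ValueError if malformed."""
    if len(raw) < 4:
        raise ValueError("shorter than the 4-byte header")
    cla, ins, p1, p2 = raw[:4]
    body = raw[4:]
    if len(body) == 0:                                   # case 1: header only
        return Apdu(cla, ins, p1, p2, b"", None)
    if len(body) == 1:                                   # case 2: header + Le
        return Apdu(cla, ins, p1, p2, b"", body[0] or 256)
    lc = body[0]
    if lc == 0:
        raise ValueError("Lc must be 1..255 in a short APDU")
    data, rest = bytes(body[1:1 + lc]), body[1 + lc:]
    if len(data) != lc:
        raise ValueError("Lc does not match the data present")
    if len(rest) == 0:                                   # case 3: header + Lc + data
        return Apdu(cla, ins, p1, p2, data, None)
    if len(rest) == 1:                                   # case 4: header + Lc + data + Le
        return Apdu(cla, ins, p1, p2, data, rest[0] or 256)
    raise ValueError("trailing bytes after Le")


def max_short_command_len() -> int:
    """Largest case-4 short APDU: 4-byte header + Lc + 255 data bytes + Le."""
    return 4 + 1 + 255 + 1


def max_short_response_len() -> int:
    """Largest short response: 256 data bytes + SW1 SW2."""
    return 256 + 2


def buffer_holds_short_apdus(ram_bytes: int) -> bool:
    """Can a buffer of ram_bytes hold any single short command or response?"""
    return ram_bytes >= max(max_short_command_len(), max_short_response_len())


class SmartCardChip:
    """Toy model of chip 170: VERIFY (INS 0x20) with a retry counter.
    PIN and retry limit are constructed values, not from the patent."""

    def __init__(self, pin: bytes = b"1234", max_tries: int = 3) -> None:
        self._pin = pin
        self._max_tries = max_tries
        self.tries_left = max_tries
        self.verified = False

    def process(self, raw: bytes) -> bytes:
        """Return the response APDU: response data (none here) followed by SW1 SW2."""
        try:
            apdu = parse_short_apdu(raw)
        except ValueError:
            return bytes([0x67, 0x00])                 # SW 6700: wrong length
        if apdu.ins != 0x20:
            return bytes([0x6D, 0x00])                 # SW 6D00: INS not supported
        if apdu.p1 != 0x00:
            return bytes([0x6A, 0x86])                 # SW 6A86: incorrect P1-P2
        if self.tries_left == 0:
            return bytes([0x69, 0x83])                 # SW 6983: PIN blocked
        if hmac.compare_digest(apdu.data, self._pin):  # constant-time compare
            self.verified = True
            self.tries_left = self._max_tries
            return bytes([0x90, 0x00])                 # SW 9000: success
        self.tries_left -= 1
        if self.tries_left == 0:
            return bytes([0x69, 0x83])
        return bytes([0x63, 0xC0 | self.tries_left])   # SW 63Cx: x tries remain
```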

[0050] The invention shown and described herein is particularly useful for computerized systems serving organizations which process sensitive information such as banks, insurance companies, accountants and other commercial organizations, and professional organizations such as medical or legal organizations.
[0051] Conventional computer systems include a computer (comprising a motherboard) and at least one peripheral. The computer has a number of different ports which respectively mate with the ports of the various peripherals. Each port typically can mate with only certain peripherals and not with other peripherals. For example, the keyboard cannot be connected to the computer via the computer's printer port.
[0052] In state of the art computer systems, also termed herein "flexibly connectible computer systems", the computer and the peripherals each include at least one identical port having mating ports on any other computer and any other peripheral such that any peripheral can be selectably connected to any computer or to any other peripheral. Also, a peripheral may be connected to the computer not directly as in conventional systems but rather via another peripheral. There is generally always a port available on one or more connected peripherals in an existing computer system such that another peripheral can generally always be connected to an existing computer system.
[0053] One example of a flexibly connectable computer system is a USB (universal serial bus) system in which the computer and each peripheral includes a USB port. Another example of a flexibly connectable computer system is the recently contemplated Firewire system.

[0054] A "USB plug" is a portable device which mates with a USB system and, as opposed to peripherals which contain mechanical elements, typically comprises only memory and/or CPU and therefore is typically pocket-size. More generally, a USB plug is an example of a plug which can be plugged into a flexibly connectible computer system (FCCS).
[0055] The term "FCCS plug" is used herein to refer to a portable device which mates with a flexibly connectible computer system and, as opposed to peripherals which contain mechanical elements, typically comprises only memory and/or CPU and therefore is typically pocket-size. It is appreciated that because each peripheral connected onto a flexibly connectible computer system typically has at least one port, a flexibly connectible computer system of any configuration typically has at least one vacant port available to interact with an FCCS plug. USB tokens and Rainbow tokens are both examples of FCCS plugs.
[0056] Typically, each of the plurality of computer system units (computer and one or more peripherals) forming a computer system has at least two identical female sockets and these are interconnected by means of male-male cables. In this embodiment, the FCCS plug may comprise a male socket. However, it is appreciated that any suitable mating scheme may be employed to mate the computer system units and the FCCS plug of the present invention.
[0057] A known use for FCCS plugs is use in conjunction with software having plug-recognizing capability. Aladdin and Rainbow both market software which is operative only if the host computer system in which a particular software copy resides has plugged into it an FCCS plug which is recognized by the software copy. The Aladdin and Rainbow plugs are not used for authentication.

[0058] Computer systems are often used to receive information characterizing a mobile user, who is one of a population of mobile users, and to process this information. Such information may comprise user identity authentication information, banking information, access rights information, etc. Conventionally, this information is stored on a smart card which is borne by the user and is presented to the computer system by him. However this requires the computer system to be equipped with a smart card reader, a special piece of equipment dedicated to reading the smart card.
[0059] According to a preferred embodiment of the present invention, information characterizing a mobile user is stored on an FCCS plug. Particular advantages of this embodiment of the present invention are that the information is easily borne by the user, on a pocket-size substrate, that any flexibly connectible computer system of any configuration is typically capable of interacting with the user via the FCCS plug, and that no dedicated equipment is required by the computer in order to carry out the interaction.

[0060] Reference is now made to Fig. 3 which is an exploded front view of an FCCS plug constructed and operative in accordance with a preferred embodiment of the present invention and implementing the USB key device of Fig. 1. As shown, the FCCS plug of Fig. 3 comprises a housing typically formed of two snap-together planar cover elements 200 and 210, between which reside a USB connector 220 and the PCB 25 of Fig. 1. The USB connector 220 may, for example, comprise a USB PLUG (ACN-0213) device marketed by Aska Technologies Inc., No. 15, Alley 22, Lane 266, Fu Teh 1st Rd., Hsi Chih, Taipei Shien, Taiwan. The PCB 25 bears the elements 30, 40, 50, 60 and 70 of Fig. 1. Firmware managing the memory 240 may reside on the USB interface controller 230.
[0061] Reference is additionally made to Fig. 4 which is an exploded view of an FCCS plug constructed and operative in accordance with a preferred embodiment of the present invention and implementing the USB key device of Fig. 2. As shown, the FCCS plug of Fig. 4 comprises a housing typically formed of two snap-together planar cover elements 200 and 210, between which reside the USB connector 220 and a PCB 125. The PCB 125 bears the elements 130, 140, 150, 160 and 170 of Fig. 2. Firmware managing the smart card chip 250 may reside on the USB interface controller 230.
[0062] Smart card functionalities which are preferably provided by the FCCS plug of the present invention include:

1. Controlling access to computer networks: Smart card or plug has ID information, network authenticates and allows access on that basis. Authentication may be based upon "what you have", "what you are" (e.g. biometric information) and "what you know" (e.g. password).

2. Digital signatures or certificates for verifying or authenticating the identity of the sender of a document.

3. Storage of confidential information, e.g. medical information. A smart card or plug may store confidential information and interact with a network which does not store the confidential information.

[0063] Figs. 5A - 5B pictorially illustrate a user-computer interaction method provided in accordance with a preferred embodiment of the present invention for use by a population of flexibly connectible computer systems 300 and a population of mobile users. Information characterizing each mobile user, e.g. name and ID, is loaded into the memory of an FCCS plug 310 to be borne by that mobile user, typically via a USB interface controller such as unit 230 of Fig. 3.
[0064] The plug can then be connected to one of the flexibly connectible computer systems and the information characterizing the mobile user employed to perform at least one computer operation, typically comprising a conventional smart card functionality such as authentication.

[0065] Features of a preferred embodiment of the present invention are now described:

a. The need for enhanced user authentication

[0066]

Authentication is the basis for any information security system. The ability to authenticate local and remote users is a critical issue for any LAN/Intranet, multi-user environment.



b. The need for encryption and confidentiality

[0067]

Content encryption & confidentiality becomes an important issue for both the corporation and the individual users.

c. The need for password and Sign-On security

[0068]

Password security and user password management are key issues for network corporate users. Passwords represent the single most important security concern in any computing environment.

[0069] There is a need today for hardware-based PC security tokens.

Sign-On-Key (SOK) is a hardware-based token that seamlessly integrates with Operating Systems & Applications to provide:

- a user authentication key
- a basis for an encryption system
- better Sign-On security and enhanced user password management
- Software Security

Authentication - 3 Basic Elements

[0070]

* Something you know --> Password
* Something you have --> Sign-On-Key
* Something you are --> e.g., Bio-metrics

* Assumption: Two out of the above three provide "good-enough" security.

Encryption

[0071]

* The need to encrypt data, files, disks and information flow is evident.
* A hardware-based token with cryptographic abilities can enhance security and ease of use.

Sign-On - Where are Passwords used?

[0072]

* Log on to your O/S
* Log on to your Network (Local, Remote)
* Log on to the Internet/ISP
* Log on to protected Web pages
* Log on to Group Ware/Communications applications
* Log on to other sensitive password-protected applications
* MS Office & other protected files
* PC Boot protection (BIOS Password)

Sign-On - Major Security Risks

The Sign-On Process

[0073] The Sign-On-Key is a security hardware token, linked by the user to the required applications. Once installed, the Sign-On-Key becomes a part of the log-on process. Sign-On-Key provides the user with many security and other functional benefits.



Sign-On-Key Various Options

[0075]

Several hardware devices may operate as Sign-On-Keys:

* Sign-On-Key USB - A small key that connects to the new standard USB port. USB ports are becoming the new connectivity standard for PCs and Macintosh
* Sign-On-Key SC - A smart card based Sign-On-Key. Can be used with any standard smart card drive



What Can Sign-On-Key Do For a User?

[0074]

Sign-On Security

- Enhance security & authentication. The Sign-On-Key is required in addition to the user password



Sign-On-Key USPs & Advantages

[0076]

* Simple, intuitive, easy to use, attractive token
* The key IS the token IS the connector
* Low cost
* High security
* High functionality



Sign-On Simplicity

- Simplify log-on process and eliminate the need for a password. The Sign-On-Key replaces the password

Password Automatic Re-verification

- Check for Sign-On-Key periodically

Single-Sign-On

- One Sign-On-Key replaces several passwords for several applications

Mobility & Remote Computing

- Sign-On-Key identifies remote users
- Sign-On-Key can be used as a data secure container
- Theft deterrent of mobile PCs

General Purpose Security Token

- File & data Encryption
- Authentication
- Certificate Key Holder
- Memory inside token
- Processing power
- Automatic Password Re-verification
- Multi token connectivity

The Agents' solution

Sign-On-Key Architecture

Full Blown System

Sign On Agents

[0077]

* The Sign-On-Agent is a software interface between the Sign-On-Key and the application.
* The Sign-On-Boot is a special interface for the PC boot password.
* Agents may be provided for:

- OS/NetWare - e.g., Windows NT, 95/98, 3.x, Novell, Unix
- Group Ware/Mail - e.g., Lotus Notes, Outlook, Eudora
- Enterprise Applications - e.g., SAP, Baan, MK, Oracle, Magic
- Web Browsers - e.g., Explorer, Navigator



The Most Trivial Agent - Windows NT

[0078]

* The most trivial Agent will replace the Windows Login session
* By doing so Users may gain:

- Windows Login extra security
- Windows Login simplification (Sign-On-Key replaces password)

Sign-On-Key Web Browsers' Agent/System

[0079]

* Sign-On-Key can be used as an authentication token to monitor access to secured web pages
* Web content providers need to authenticate, manage and provide access to their customers so

Sign-On-Key API (SDK)

[0080]

* Sign-On-Key API is the interface level between the Sign-On-Key and 3rd parties' applications.
* This API may be published and opened for usage by certification providers, security companies and SSO companies.
* The Sign-On-Key API will also provide encryption & protected memory storage services.
* Sign-On-Key API may be PKCS #11 based/compatible.

The Sign-On Process (No CA)

[0081]

* Installation

- User installs Agents for required applications
- User defines Sign-On Parameters for each application
- User stores Sign-On information in Sign-On-Key

* Sign-On

- Application is started
- Application reaches its Sign-On dialog
- Application communicates with the Sign-On-Key
- Sign-On permission is granted based on Sign-On-Key
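An added example, not from the patent, covering the dual factor check of [0029] together with the installation and sign-on steps of [0081]: "what you have" is the unique Key ID read from the Sign-On-Key, "what you know" is the user's password, and an Agent grants sign-on permission only when both verify. The record layout, PBKDF2 parameters and sample values are constructed for this example; binding the password digest to the Key ID is the author's choice here, not a mechanism the patent describes.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000   # assumed work factor for the password digest


class SignOnAgentStore:
    """Per-application sign-on records as an Agent might keep them (assumed layout).
    Only a salted digest of the password is stored, never the password itself."""

    def __init__(self) -> None:
        self._records = {}   # (application, user) -> {"key_id", "salt", "digest"}

    @staticmethod
    def _digest(password: str, salt: bytes, key_id: bytes) -> bytes:
        # The Key ID is mixed into the salt, so the same password presented
        # together with a different token does not reproduce the digest.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt + key_id,
                                   PBKDF2_ITERATIONS)

    def install(self, application: str, user: str, key_id: bytes, password: str) -> None:
        """Installation step of [0081]: define the Sign-On parameters for one
        application and bind them to the Key ID of the token the user bears."""
        salt = os.urandom(16)
        self._records[(application, user)] = {
            "key_id": key_id,
            "salt": salt,
            "digest": self._digest(password, salt, key_id),
        }

    def sign_on(self, application: str, user: str,
                presented_key_id: bytes, password: str) -> bool:
        """Sign-on step: the application reads the Key ID from the inserted token
        and asks the user for the password; both factors must match.
        Both comparisons run in constant time and neither short-circuits."""
        rec = self._records.get((application, user))
        if rec is None:
            return False
        have = hmac.compare_digest(rec["key_id"], presented_key_id)
        know = hmac.compare_digest(
            rec["digest"], self._digest(password, rec["salt"], presented_key_id))
        return have and know
```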



Sign-On-Key As a Secure Container

[0082]

* In addition to a unique Key ID, Sign-On-Key will contain a personal protected memory area
* This memory area can be used for storing sensitive information and Certificates
* Applications' ID keys like Lotus Notes ID file or PGP keys can be stored in this memory
* Doing so, Sign-On-Key can be used to increase mobile computing security. File IDs are stored in Sign-On-Key instead of disk

Sign-On-Key An Encryption Engine & Sign-On-Key Crypt

[0083]

* Sign-On-Key can be used as an encrypting device
* An encryption API may be provided, e.g., a 100% smart card compatible Sign-On-Key implementation
* Sign-On-Key Crypt is a Data/File/Hard disk encryption utility based on Sign-On-Key.

Sign-On-Key Certification Toolkit

[0084]

* SOK may use PKCS #11 and X.509 and store certificates and/or digital IDs.

Sign-On-Key comprises: 

[0085] 

* Sign-On-Key USB Token 

* HASP 

* Hardlock 

Initial Sign-On-Key functionaIity(Unique ID. per- 
sonal protected memory) 

* Sign-On-Key USB extension cable 

* Sign-On-Key Smart Card Token 

* Sign-On-Key API (PKCS #11 compliant)

* Entrust compatibility/link

* Windows NT Agent

* Navigator and/or Explorer Agent (S/MIME)

* Key Plus Crypt (Beta release)

* Secure Screen Saver 

* Initial marketing package

* USB proliferation & Windows 98/NT availability are key issues.

* In the US, Germany & Israel all new PCs shipped are USB equipped.

* Section in early development stage.

* Security Dynamics, ActivCard & Vasco control the market with 1st generation time-based, one-time password or challenge-based tokens.

* Security vendors will look to expand their market share with second generation integrated smart card offerings which will support cryptography, digital signature storage and processing activity.

USB: The Better Connection 

[0086] 

* Almost unlimited port expansion

* No add-in cards for new peripherals

- no setting of IRQs, DMAs, etc. 

* One connection type (plug and port) 

- variety of peripherals

- no more guesswork 

- simple setup, just plug in and go 

USB: The Better Connection 
[0087] 

* Addresses need for speed, multimedia 

- 12 Mb/s, asynch (bulk) & isoch (real time) data

- stereo-quality digital audio 

- high frame-rate video (with compression) 

- high latency applications (force-feedback) 

* No power bricks with many new peripherals

- USB supplies up to 500mA 

* PC user experience is vastly improved

- Fewer returns and increased sales potential 

[0088] It is appreciated that USB is only one example of a flexible connectivity standard and the present invention is not intended to be limited to USB.
[0089] It is appreciated that the software components of the present invention may, if desired, be implemented in ROM (read-only memory) form. The software components may, generally, be implemented in hardware, if desired, using conventional techniques.
[0090] It is appreciated that various features of the invention which are, for clarity, described in the contexts of separate embodiments may also be provided in combination in a single embodiment. Conversely, various features of the invention which are, for brevity, described in the context of a single embodiment may also be provided separately or in any suitable subcombination.
[0091] It will be appreciated by persons skilled in the art that the present invention is not limited to what has been particularly shown and described hereinabove. Rather, the scope of the present invention is defined only by the claims that follow:
[0092] Where technical features mentioned in any claim are followed by reference signs, those reference signs have been included just for the sole purpose of increasing intelligibility of the claims and accordingly, such reference signs do not have any limiting effect on the scope of each element identified by way of example by such reference signs.

Claims 

1. A user-computer interaction method for use by a population of flexibly connectible computer systems and a population of mobile users, the method comprising:

    storing information characterizing each mobile user on an FCCS plug to be borne by that mobile user; and
    accepting the FCCS plug from the mobile user for connection to one of the flexibly connectible computer systems and employing the information characterizing the mobile user to perform at least one computer operation.

2. A method according to claim 1 wherein said at least one computer operation comprises authentication.

3. An FCCS plug device to be borne by a mobile user, the FCCS plug device comprising:

    a portable device which mates with a flexibly connectible computer system and comprises a memory; and
    information characterizing the mobile user and stored in said memory accessibly to the flexibly connectible computer system.

4. A population of FCCS plug devices to be borne by a corresponding population of mobile users, the population of FCCS plug devices comprising:

    a multiplicity of portable devices each of which mates with a flexibly connectible computer system and comprises a memory; and
    information characterizing each mobile user in the population of mobile users and stored, accessibly to the flexibly connectible computer system, in the memory of the FCCS plug device to be borne by said mobile user.

5. An FCCS plug device comprising:

    a mating element operative to mate with a flexibly connectible computer system; and
    a memory connected adjacent said mating element, thereby to form a portable pocket-size plug, wherein the memory is accessible to the flexibly connectible computer system via said mating element.

6. An FCCS plug device comprising:

    a mating element operative to mate with a flexibly connectible computer system; and
    a CPU connected adjacent said mating element, thereby to form a portable pocket-size plug, wherein the CPU has a data connection to the flexibly connectible computer system via said mating element.

7. An FCCS plug device according to claim 5 and also comprising a CPU connected adjacent said mating element, thereby to form a portable pocket-size plug, wherein the CPU has a data connection to the flexibly connectible computer system via said mating element.



8. A method according to claim 1 wherein said at least one computer operation comprises digital signature verification.

9. A method according to claim 2 wherein said at least one computer operation comprises controlling access to computer networks.

10. A method according to claim 1 wherein said information characterizing each mobile user comprises sensitive information not stored in said computer system, thereby to enhance confidentiality.

11. A user-computer interaction method for use by a population of flexibly connectible computer systems and a population of mobile users, the method comprising:

    storing confidential information not stored by the flexibly connectible computer systems on an FCCS plug to be borne by an individual user within said population of mobile users; and
    accepting the FCCS plug from the mobile user for connection to one of the flexibly connectible computer systems and employing the confidential information to perform at least one computer operation, thereby to enhance confidentiality.

12. USB key apparatus for interacting with a USB host via a USB port, the USB key apparatus comprising:

    a portable device configured to fit the USB port, the portable device comprising:

        a USB interface conveying USB communications to and from a USB host;
        a protocol translator operative to translate the USB communications from USB protocol into smart card protocol and from smart card protocol into USB protocol; and
        a smart card chip operative to perform at least one smart card function.

13. USB key apparatus according to claim 12 wherein the smart card protocol comprises an ISO 7816 protocol.

14. USB key apparatus with data storage capabilities, the USB key apparatus comprising:

    a portable device configured to fit a USB port, the portable device comprising:

        a USB interface conveying USB communications to and from a USB host; and
        a data storage unit storing information derived from the USB communications.

15. Apparatus according to claim 12 wherein the smart card function comprises at least one function selected from the group consisting of secured memory, authentication, encryption and access control.

16. Apparatus according to claim 14 and also comprising a microprocessor operative to receive said USB communications from the USB interface, to perform computations thereupon and to provide results of the computations to the data storage unit for storage.



17. A method for interacting with a USB host via a USB port, the method comprising:

    configuring a portable device to fit the USB port;
    conveying USB communications to and from a USB host;
    translating the USB communications from USB protocol into smart card protocol and from smart card protocol into USB protocol; and
    providing a smart card chip operative to perform at least one smart card function.

18. A method according to claim 17 wherein the smart card protocol comprises an ISO 7816 protocol.

19. A data storage method comprising:

    configuring a portable device to fit a USB port;
    conveying USB communications to and from a USB host; and
    storing information derived from the USB communications.

20. A method according to claim 17 wherein the smart card function comprises at least one function selected from the group consisting of secured memory, authentication, encryption and access control.

21. A method according to claim 19 and also comprising employing a microprocessor to receive said USB communications from the USB interface, to perform computations thereupon and to provide results of the computations to the data storage unit for storage.